CVE-2026-36340: Krayin CRM allows a remote attacker to execute arbitrary code via compose email function

April 30, 2026 (updated May 7, 2026)

An issue in Krayin CRM v.2.1.5, which was fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function.

References

drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view
github.com/advisories/GHSA-32px-ccfx-cxq3
github.com/cybercrewinc/CVE-2026-36340
github.com/krayin/laravel-crm
github.com/krayin/laravel-crm/releases/tag/v2.1.6
nvd.nist.gov/vuln/detail/CVE-2026-36340

Code Behaviors & Features

Detect and mitigate CVE-2026-36340 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →